<%@ page language="java" contentType="text/html; charset=UTF-8" pageEncoding="UTF-8"%>
<%@ taglib uri="http://java.sun.com/jsp/jstl/core" prefix="c" %>
<%@ taglib uri="http://java.sun.com/jsp/jstl/fmt" prefix="fmt" %>
<%@ taglib uri="http://java.sun.com/jsp/jstl/functions" prefix="fn" %>
<%
	request.setAttribute("username", "<jac02>");
	request.setAttribute("password", "<script>alert('hello')</script>");
%>

<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
<title>coreTag</title>
</head>
<body>
<jac02>
<c:out value="${username}" escapeXml="false"></c:out> <!-- 页面隐藏看不到,但是页面源代码有 -->
<c:out value="${password}" escapeXml="false"></c:out> <!-- 会弹框,页面不会输出文字 -->
<c:out value="${password}" escapeXml="true"></c:out> <!-- 不会弹框,页面输出文字 -->
</body>
</html>